Playing with Google Authenticator and Oracle Cloud – Securing SSH to Oracle account with two factor authentication

Increase security when connecting via SSH to the Oracle OS account at Oracle Cloud by implementing two factor authentication (TFA or 2FA).

The Environment

Oracle Cloud Instance

OS: Oracle Linux 6.9

The Implementation

For this exercise we will implement Google Authenticator as our TFA solution in our Oracle Cloud Instance and configure it to secure the Oracle OS account.

Note: Google Authenticator doesn’t connect to Google when authenticating — all the work happens on your SSH server and your phone. Google Authenticator is open-source software, which means you can check the code yourself.

Step 1 – Install dependencies for Google Authenticator Module

The first step is to connect as root to your server (in this case our Instance at Oracle Cloud) and, as shown below, install the required dependency package “pam-devel” by running:

Enter y [yes] when asked to disallow multiple uses of the same authentication token

Enter y [yes] when asked to confirm that tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server

Enter y [yes] when asked to limit attackers to no more than 3 login attempts every 30s

Note 1: Save the Secret Key; we will need it later.

Note 2: Save the emergency scratch codes; you never know when you will need one 😉

Note 3: Keep the page with the secret code open; otherwise the key will not work when you enter it into the app later. If you closed it, just connect as the user Oracle and run the command to install and configure Google Authenticator again (step 4).
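To make the prompts above concrete, here is an added sketch (not code from this post or from the Google Authenticator PAM module) of how a server derives and checks a time-based code from the Secret Key, following RFC 6238. The `Verifier` class, the one-window skew allowance, and the RFC 6238 test key used as sample input are assumptions for illustration; the rate-limiting prompt is not modelled.

```python
import base64, hashlib, hmac, struct

STEP = 30  # seconds a code is valid, as in the setup prompt

def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 code (HMAC-SHA1) for the 30-second window containing unix_time."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # re-add stripped padding
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Hypothetical server-side check: tolerates clock skew, rejects reuse."""
    def __init__(self, secret_b32, skew_windows=1):
        self.secret = secret_b32
        self.skew = skew_windows  # assumed: one window before and after
        self.used = set()         # time windows whose code was already accepted

    def verify(self, code, now):
        current = int(now) // STEP
        for counter in range(current - self.skew, current + self.skew + 1):
            if counter in self.used:
                continue  # "disallow multiple uses of the same token"
            expected = totp(self.secret, counter * STEP)
            if hmac.compare_digest(expected, code):
                self.used.add(counter)
                return True
        return False

# Constructed sample input: the published RFC 6238 test key, not a real secret.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    v = Verifier(RFC_SECRET)
    phone_code = totp(RFC_SECRET, 59)      # what the phone app would display
    print(phone_code, v.verify(phone_code, 59), v.verify(phone_code, 59))
```

Both sides compute the same HMAC from the shared secret and the current time, which is why no connection to Google is involved and why the phone and server clocks must roughly agree.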

Step 5: Configure SSH to use Google Authenticator PAM Module

Connect as root again and open your PAM configuration file /etc/pam.d/sshd (Using vi /etc/pam.d/sshd), then add the following line at the top of the file:

Why show 4 commands? Because, depending on your Linux distribution, some refer to the SSH daemon as SSHD and some as SSH, some have the service module installed, and some require you to go into the /etc/init.d folder and restart the SSH service manually.

Note: Do not forget to set a password for the user Oracle if not done previously.

$ passwd oracle

Step 6: Configure your SmartPhone for Google Authenticator App

Now it is time to install the Google Authenticator app on your phone and configure it. You can download it from:

Assuming you managed to install the app properly, launch the Google Authenticator app on your SmartPhone (my example uses iOS).

Click on Begin Setup at the bottom of the screen and select Manual Entry.

Enter an Account Name that easily identifies it for you, and enter the Secret Key generated when you installed and configured Google Authenticator in step 4, then click OK at the top right of the screen.

Hi David, Thank you so much for your kind words. Regarding your question, it can be implemented on any Cloud environment and on premise also. I have implemented it on many on-premises environments before with success. You can implement it for any OS user and also use the same authentication on different servers by installing everything on the other servers and copying your initial .google_authenticator file to the servers. This way you can use your code to access all your servers instead of having a code for each one.